Context Navigation

source: src/router/services/networking/wshaper.c @ 18877

Last change on this file since 18877 was 18877, checked in by BrainSlayer, 14 months ago
get netfilter for bridge working again
File size: 30.5 KB

Line
1	/*
2	* wshaper.c Copyright (C) 2006 Sebastian Gottschall <gottschall@dd-wrt.com>
3	* This program is free software; you can redistribute it and/or modify it
4	* under the terms of the GNU General Public License as published by the Free
5	* Software Foundation; either version 2 of the License, or (at your option)
6	* any later version. This program is distributed in the hope that it will be
7	* useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
8	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
9	* Public License for more details. You should have received a copy of the GNU
10	* General Public License along with this program; if not, write to the Free
11	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
12	* 02111-1307, USA. $Id:
13	*/
14
15	#include <stdio.h>
16	#include <stdlib.h>
17	#include <string.h>
18	#include <signal.h>
19	#include <unistd.h>
20	#include <errno.h>
21	#include <sys/types.h>
22	#include <sys/stat.h>
23	#include <sys/socket.h>
24	#include <netinet/in.h>
25	#include <arpa/inet.h>
26	#include <wait.h>
27
28	#include <bcmdevs.h>
29	#include <bcmnvram.h>
30	#include <netconf.h>
31	#include <shutils.h>
32	#include <utils.h>
33	#include <cy_conf.h>
34	#include <code_pattern.h>
35	#include <rc.h>
36	#include <services.h>
37
38	char *get_wshaper_dev(void)
39	{
40	if (nvram_match("wshaper_dev", "WAN"))
41	return get_wan_face();
42	else
43	return "br0";
44	}
45
46	static char *get_mtu_val(void)
47	{
48	if (nvram_match("wshaper_dev", "WAN")
49	&& !strcmp(get_wshaper_dev(), "ppp0"))
50	return nvram_safe_get("wan_mtu");
51	else if (nvram_match("wshaper_dev", "WAN")) {
52	if (nvram_match("wan_mtu", "1500"))
53	return getMTU(get_wshaper_dev());
54	else
55	return nvram_safe_get("wan_mtu");
56	} else
57	return getBridgeMTU(get_wshaper_dev());
58	}
59
60	static char *get_wanface(void)
61	{
62	char *dev = get_wan_face();
63
64	if (!strcmp(dev, "br0"))
65	dev = NULL;
66	return dev;
67	}
68
69	static int client_bridged_enabled(void)
70	{
71	// enumerate all possible interfaces
72	char iflist[256];
73	iflist[0] = 0; // workaround for bug in getIfList()
74	getIfList(iflist, NULL);
75
76	static char word[256];
77	char *next;
78	int bridged_clients=0;
79
80	// any interface in client_bridged mode?
81	foreach(word, iflist, next)
82	if (nvram_nmatch("wet", "%s_mode", word))
83	bridged_clients++;
84
85	return bridged_clients;
86	}
87
88	#ifdef HAVE_AQOS
89	#ifdef HAVE_OPENVPN
90	static inline int is_in_bridge(char *interface)
91	{
92	#define BUFFER_SIZE 256
93
94	FILE *fd = NULL;;
95	char buffer[BUFFER_SIZE];
96
97	if (!interface)
98	return 0;
99
100	system2("/usr/sbin/brctl show > /tmp/bridges");
101
102	fd = fopen("/tmp/bridges", "r");
103	if (fd != NULL) {
104	while (fgets(buffer, BUFFER_SIZE, fd) != NULL) {
105	if (strstr(buffer, interface) != NULL) {
106	fclose(fd);
107	return 1;
108	}
109	}
110	fclose(fd);
111	}
112	return 0;
113	}
114	#endif
115	#endif
116
117	#ifdef HAVE_SVQOS
118	void svqos_reset_ports(void)
119	{
120	#ifndef HAVE_XSCALE
121	#ifndef HAVE_MAGICBOX
122	#ifndef HAVE_RB600
123	#ifndef HAVE_FONERA
124	#ifndef HAVE_RT2880
125	#ifndef HAVE_LS2
126	#ifndef HAVE_SOLO51
127	#ifndef HAVE_LS5
128	#ifndef HAVE_X86
129	#ifndef HAVE_WHRAG108
130	#ifndef HAVE_CA8
131	#ifndef HAVE_PB42
132	#ifndef HAVE_LSX
133	#ifndef HAVE_DANUBE
134	#ifndef HAVE_STORM
135	#ifndef HAVE_LAGUNA
136	#ifndef HAVE_OPENRISC
137	#ifndef HAVE_ADM5120
138	#ifndef HAVE_TW6600
139	if (nvram_match("portprio_support", "1")) {
140	writeproc("/proc/switch/eth0/port/1/enable","1");
141	writeproc("/proc/switch/eth0/port/2/enable","1");
142	writeproc("/proc/switch/eth0/port/3/enable","1");
143	writeproc("/proc/switch/eth0/port/4/enable","1");
144
145	writeproc("/proc/switch/eth0/port/1/prio-enable","0");
146	writeproc("/proc/switch/eth0/port/2/prio-enable","0");
147	writeproc("/proc/switch/eth0/port/3/prio-enable","0");
148	writeproc("/proc/switch/eth0/port/4/prio-enable","0");
149
150	writeproc("/proc/switch/eth0/port/1/media","AUTO");
151	writeproc("/proc/switch/eth0/port/2/media","AUTO");
152	writeproc("/proc/switch/eth0/port/3/media","AUTO");
153	writeproc("/proc/switch/eth0/port/4/media","AUTO");
154
155	writeproc("/proc/switch/eth0/port/1/bandwidth","FULL");
156	writeproc("/proc/switch/eth0/port/2/bandwidth","FULL");
157	writeproc("/proc/switch/eth0/port/3/bandwidth","FULL");
158	writeproc("/proc/switch/eth0/port/4/bandwidth","FULL");
159	}
160	#endif
161	#endif
162	#endif
163	#endif
164	#endif
165	#endif
166	#endif
167	#endif
168	#endif
169	#endif
170	#endif
171	#endif
172	#endif
173	#endif
174	#endif
175	#endif
176	#endif
177	#endif
178	#endif
179	}
180
181	int svqos_set_ports(void)
182	{
183	#ifndef HAVE_XSCALE
184	#ifndef HAVE_MAGICBOX
185	#ifndef HAVE_RB600
186	#ifndef HAVE_FONERA
187	#ifndef HAVE_RT2880
188	#ifndef HAVE_LS2
189	#ifndef HAVE_LS5
190	#ifndef HAVE_WHRAG108
191	#ifndef HAVE_CA8
192	#ifndef HAVE_SOLO51
193	#ifndef HAVE_X86
194	#ifndef HAVE_LAGUNA
195	#ifndef HAVE_TW6600
196	#ifndef HAVE_PB42
197	#ifndef HAVE_LSX
198	#ifndef HAVE_DANUBE
199	#ifndef HAVE_STORM
200	#ifndef HAVE_OPENRISC
201	#ifndef HAVE_ADM5120
202	if (nvram_match("portprio_support", "1")) {
203	int loop = 1;
204	char nvram_var[32] = {
205	0
206	}, *level;
207
208	svqos_reset_ports();
209
210	for (loop = 1; loop < 5; loop++) {
211	snprintf(nvram_var, 31, "svqos_port%dbw", loop);
212
213	if (strcmp("0", nvram_safe_get(nvram_var)))
214	writevaproc(nvram_safe_get(nvram_var),"/proc/switch/eth0/port/%d/bandwidth",loop);
215	else
216	writevaproc("0","/proc/switch/eth0/port/%d/enable",loop);
217
218	writevaproc("1","/proc/switch/eth0/port/%d/prio-enable",loop);
219	level = nvram_nget("svqos_port%dprio", loop);
220	char lvl[32];
221	sprintf(lvl,"%d",atoi(level) / 10 - 1);
222	writevaproc(lvl,"/proc/switch/eth0/port/%d/prio",loop);
223	}
224	}
225	#endif
226	#endif
227	#endif
228	#endif
229	#endif
230	#endif
231	#endif
232	#endif
233	#endif
234	#endif
235	#endif
236	#endif
237	#endif
238	#endif
239	#endif
240	#endif
241	#endif
242	#endif
243	#endif
244
245	return 0;
246	}
247
248	#ifdef HAVE_AQOS
249
250	extern void add_userip(char ip, int idx, char upstream, char downstream, char lanstream);
251	extern void add_usermac(char mac, int idx, char upstream, char downstream, char lanstream);
252
253	void aqos_tables(void)
254	{
255	FILE *outips = fopen("/tmp/aqos_ips", "wb");
256	FILE *outmacs = fopen("/tmp/aqos_macs", "wb");
257
258	char *qos_ipaddr = nvram_safe_get("svqos_ips");
259	char *qos_mac = nvram_safe_get("svqos_macs");
260
261	char level[32], level2[32], level3[32], data[32], type[32];
262
263	int qosidx = 0;
264	int ret = 0;
265
266	do {
267	ret = sscanf(qos_mac, "%31s %31s %31s %31s %31s \|", data, level, level2, type, level3);
268	if (ret < 5)
269	break;
270
271	fprintf(outmacs, "%s\n", data);
272	add_usermac(data, qosidx++, level, level2, level3);
273	}
274	while ((qos_mac = strpbrk(++qos_mac, "\|")) && qos_mac++);
275
276	do {
277	ret = sscanf(qos_ipaddr, "%31s %31s %31s %31s \|", data, level, level2, level3);
278	if (ret < 4)
279	break;
280
281	fprintf(outips, "%s\n", data);
282	add_userip(data, qosidx++, level, level2 ,level3);
283	}
284	while ((qos_ipaddr = strpbrk(++qos_ipaddr, "\|")) && qos_ipaddr++);
285
286	fclose(outips);
287	fclose(outmacs);
288	}
289
290	#endif
291
292	int svqos_iptables(void)
293	{
294	char *qos_svcs = nvram_safe_get("svqos_svcs");
295	char name[32], type[32], data[32], level[32];
296
297	char *wshaper_dev = nvram_get("wshaper_dev");
298	char *wan_dev = get_wanface();
299
300	insmod("ipt_mark");
301	insmod("xt_mark");
302	insmod("ipt_CONNMARK");
303	insmod("xt_CONNMARK");
304	insmod("ipt_mac");
305	insmod("xt_mac");
306
307	#ifdef HAVE_OPENDPI
308	insmod("/lib/opendpi/xt_opendpi.ko");
309	#endif
310	insmod("ipt_layer7");
311
312	insmod("imq");
313	insmod("ipt_IMQ");
314	insmod("xt_IMQ");
315
316	// set-up mark/filter tables
317	system2("iptables -t mangle -F FILTER_OUT");
318	system2("iptables -t mangle -X FILTER_OUT");
319	system2("iptables -t mangle -N FILTER_OUT");
320
321	system2("iptables -t mangle -F SVQOS_OUT");
322	system2("iptables -t mangle -X SVQOS_OUT");
323	system2("iptables -t mangle -N SVQOS_OUT");
324	system2("iptables -t mangle -A SVQOS_OUT -j CONNMARK --restore");
325	system2("iptables -t mangle -A SVQOS_OUT -m mark --mark 1 -j MARK --set-mark 0");
326	system2("iptables -t mangle -A SVQOS_OUT -j CONNMARK --save");
327	system2("iptables -t mangle -A SVQOS_OUT -m mark ! --mark 0 -j RETURN");
328	system2("iptables -t mangle -A SVQOS_OUT -j FILTER_OUT");
329	system2("iptables -t mangle -A SVQOS_OUT -j RETURN");
330
331	system2("iptables -t mangle -F FILTER_IN");
332	system2("iptables -t mangle -X FILTER_IN");
333	system2("iptables -t mangle -N FILTER_IN");
334
335	system2("iptables -t mangle -F SVQOS_IN");
336	system2("iptables -t mangle -X SVQOS_IN");
337	system2("iptables -t mangle -N SVQOS_IN");
338	system2("iptables -t mangle -A SVQOS_IN -j CONNMARK --restore");
339	system2("iptables -t mangle -A SVQOS_IN -m mark --mark 0 -j RETURN");
340	system2("iptables -t mangle -A SVQOS_IN -j FILTER_IN");
341	system2("iptables -t mangle -A SVQOS_IN -j RETURN");
342
343	system2("iptables -t mangle -F MARK_IN");
344	system2("iptables -t mangle -X MARK_IN");
345	system2("iptables -t mangle -N MARK_IN");
346	system2("iptables -t mangle -A MARK_IN -j CONNMARK --restore");
347	system2("iptables -t mangle -A MARK_IN -m mark ! --mark 0 -j RETURN");
348	system2("iptables -t mangle -A MARK_IN -j MARK --set-mark 1");
349	system2("iptables -t mangle -A MARK_IN -j CONNMARK --save");
350	system2("iptables -t mangle -A MARK_IN -j RETURN");
351
352	if (!strcmp(wshaper_dev, "WAN")) {
353	sysprintf("iptables -t mangle -D PREROUTING -i %s -j MARK_IN", wan_dev);
354	sysprintf("iptables -t mangle -I PREROUTING 1 -i %s -j MARK_IN", wan_dev);
355	sysprintf("iptables -t mangle -D POSTROUTING -o %s -j SVQOS_OUT", wan_dev);
356	sysprintf("iptables -t mangle -I POSTROUTING -o %s -j SVQOS_OUT", wan_dev);
357	} else {
358	sysprintf("iptables -t mangle -D PREROUTING -j MARK_IN");
359	sysprintf("iptables -t mangle -I PREROUTING 1 -j MARK_IN");
360	sysprintf("iptables -t mangle -D POSTROUTING -j SVQOS_OUT");
361	sysprintf("iptables -t mangle -I POSTROUTING -j SVQOS_OUT");
362	}
363	system2("iptables -t mangle -A POSTROUTING -m dscp --dscp ! 0 -j DSCP --set-dscp 0");
364
365	sysprintf("iptables -t mangle -D PREROUTING -j SVQOS_IN");
366	sysprintf("iptables -t mangle -I PREROUTING 2 -j SVQOS_IN");
367
368	if (!strcmp(wshaper_dev, "WAN")) {
369	sysprintf("iptables -t mangle -D INPUT -i %s -j IMQ --todev 0", wan_dev);
370	sysprintf("iptables -t mangle -A INPUT -i %s -j IMQ --todev 0", wan_dev);
371	sysprintf("iptables -t mangle -D FORWARD -i %s -j IMQ --todev 0", wan_dev);
372	sysprintf("iptables -t mangle -A FORWARD -i %s -j IMQ --todev 0", wan_dev);
373	}
374	if (!strcmp(wshaper_dev, "LAN"))
375	{
376	if ( !client_bridged_enabled() && nvram_invmatch("wan_proto", "disabled") )
377	{
378	sysprintf("iptables -t mangle -D INPUT -i %s -j IMQ --todev 0", wan_dev);
379	sysprintf("iptables -t mangle -A INPUT -i %s -j IMQ --todev 0", wan_dev);
380	sysprintf("iptables -t mangle -D FORWARD -i %s -j IMQ --todev 0", wan_dev);
381	sysprintf("iptables -t mangle -A FORWARD -i %s -j IMQ --todev 0", wan_dev);
382
383	sysprintf("iptables -t mangle -D INPUT -i ! %s -j IMQ --todev 1", wan_dev);
384	sysprintf("iptables -t mangle -A INPUT -i ! %s -j IMQ --todev 1", wan_dev);
385	sysprintf("iptables -t mangle -D FORWARD -i ! %s -o ! %s -j IMQ --todev 1", wan_dev, wan_dev);
386	sysprintf("iptables -t mangle -A FORWARD -i ! %s -o ! %s -j IMQ --todev 1", wan_dev, wan_dev);
387	} else {
388	sysprintf("iptables -t mangle -D INPUT -j IMQ --todev 1");
389	sysprintf("iptables -t mangle -A INPUT -j IMQ --todev 1");
390	sysprintf("iptables -t mangle -D FORWARD -j IMQ --todev 1");
391	sysprintf("iptables -t mangle -A FORWARD -j IMQ --todev 1");
392	}
393	}
394
395	/* set up marking rules */
396	system2("iptables -t mangle -A FILTER_IN -j CONNMARK --restore");
397
398	system2("iptables -t mangle -A FILTER_OUT -j CONNMARK --restore");
399	system2("iptables -t mangle -A FILTER_OUT -p tcp -m length --length 0:64 --tcp-flags ACK ACK -j CLASSIFY --set-class 1:100");
400	system2("iptables -t mangle -A FILTER_OUT -m layer7 --l7proto dns -j MARK --set-mark 14");
401
402	/* add openvpn filter rules */
403	#ifdef HAVE_AQOS
404	#ifdef HAVE_OPENVPN
405	if ( nvram_invmatch("openvpn_enable", "0")
406	\|\| nvram_invmatch("openvpncl_enable", "0"))
407	{
408	char iflist[256];
409	static char word[256];
410	char *next;
411	bool unbridged_tap = 0;
412
413	insmod("xt_dscp");
414	insmod("xt_DSCP");
415
416	system2("iptables -t mangle -F VPN_IN");
417	system2("iptables -t mangle -X VPN_IN");
418	system2("iptables -t mangle -N VPN_IN");
419	system2("iptables -t mangle -A VPN_IN -j CONNMARK --save");
420
421	system2("iptables -t mangle -F VPN_OUT");
422	system2("iptables -t mangle -X VPN_OUT");
423	system2("iptables -t mangle -N VPN_OUT");
424
425	system2("iptables -t mangle -I SVQOS_OUT 2 -m dscp --dscp 10 -j MARK --set-mark 100");
426	system2("iptables -t mangle -I SVQOS_OUT 2 -m dscp --dscp 1 -j MARK --set-mark 10");
427	system2("iptables -t mangle -I SVQOS_OUT 2 -m dscp --dscp 2 -j MARK --set-mark 20");
428	system2("iptables -t mangle -I SVQOS_OUT 2 -m dscp --dscp 3 -j MARK --set-mark 30");
429	system2("iptables -t mangle -I SVQOS_OUT 2 -m dscp --dscp 4 -j MARK --set-mark 40");
430	system2("iptables -t mangle -I SVQOS_OUT 8 -m dscp --dscp ! 0 -j DSCP --set-dscp 0");
431
432	// look for present tun-devices
433	if(getifcount("tun")) {
434	system2("iptables -t mangle -I PREROUTING 2 -i tun+ -j VPN_IN");
435	system2("iptables -t mangle -I INPUT 1 -i tun+ -j IMQ --todev 0");
436	system2("iptables -t mangle -I FORWARD 1 -i tun+ -j IMQ --todev 0");
437	system2("iptables -t mangle -I POSTROUTING 1 -o tun+ -j VPN_OUT");
438	}
439
440	// look for present tap-devices
441	if (getifcount("tap"))
442	{
443	writeproc("/proc/sys/net/bridge/bridge-nf-call-arptables","1");
444	writeproc("/proc/sys/net/bridge/bridge-nf-call-ip6tables","1");
445	writeproc("/proc/sys/net/bridge/bridge-nf-call-iptables","1");
446	insmod("xt_physdev");
447	insmod("ebtables");
448
449	getIfList(iflist, "tap");
450	foreach(word, iflist, next) {
451	if (is_in_bridge(word)) {
452	sysprintf("iptables -t mangle -I PREROUTING 2 -m physdev --physdev-in %s -j VPN_IN", word);
453	sysprintf("iptables -t mangle -I INPUT 1 -m physdev --physdev-in %s -j IMQ --todev 0", word);
454	sysprintf("iptables -t mangle -I FORWARD 1 -m physdev --physdev-in %s -j IMQ --todev 0", word);
455	sysprintf("iptables -t mangle -I POSTROUTING -m physdev --physdev-out %s -j VPN_OUT", word);
456	} else
457	unbridged_tap = 1;
458	}
459
460	if (unbridged_tap) {
461	system2("iptables -t mangle -I PREROUTING 2 -i tap+ -j VPN_IN");
462	system2("iptables -t mangle -I INPUT 1 -i tap+ -j IMQ --todev 0");
463	system2("iptables -t mangle -I FORWARD 1 -i tap+ -j IMQ --todev 0");
464	system2("iptables -t mangle -I POSTROUTING 1 -o tap+ -j VPN_OUT");
465	}
466	}
467
468	//system2("iptables -t mangle -A POSTROUTING -m dscp --dscp ! 0 -j DSCP --set-dscp 0");
469
470	char *qos_vpn = nvram_safe_get("svqos_vpns");
471
472	/*
473	* vpn format is "interface level \| interface level \|" ..etc
474	*/
475	do {
476	if (sscanf(qos_vpn, "%32s %32s \|", data, level) < 2)
477	break;
478
479	/* incomming data */
480	sysprintf("iptables -t mangle -I VPN_IN 1 -i %s -j MARK --set-mark %s",
481	data, level);
482
483	/* outgoing data */
484	if (is_in_bridge(data))
485	sysprintf("iptables -t mangle -I VPN_OUT 1 -m physdev --physdev-out %s -j DSCP --set-dscp %d",
486	data, atoi(level)/10 );
487	else
488	sysprintf("iptables -t mangle -I VPN_OUT 1 -o %s -j DSCP --set-dscp %d",
489	data, atoi(level)/10 );
490
491	} while ((qos_vpn = strpbrk(++qos_vpn, "\|")) && qos_vpn++);
492	}
493	#endif
494	#endif
495
496	// if OSPF is active put it into the Express bucket for outgoing QoS
497	if (nvram_match("wk_mode", "ospf"))
498	system2
499	("iptables -t mangle -A FILTER_OUT -p ospf -m mark --mark 0 -j MARK --set-mark 20");
500
501	if(!strcmp(wshaper_dev, "LAN")) {
502	// don't let packages pass to iptables without ebtables loaded
503	writeproc("/proc/sys/net/bridge/bridge-nf-call-arptables","1");
504	writeproc("/proc/sys/net/bridge/bridge-nf-call-ip6tables","1");
505	writeproc("/proc/sys/net/bridge/bridge-nf-call-iptables","1");
506
507	insmod("ebtables");
508	// insmod("ebtable_nat");
509	// insmod("ebtable_filter");
510	// insmod("ebt_mark");
511	// insmod("ebt_mark_m");
512	// insmod("ebt_snat");
513	// insmod("ebt_dnat");
514	}
515
516	/*
517	* services format is "name type data level \| name type data level \|"
518	* ..etc
519	*/
520	do {
521	if (sscanf
522	(qos_svcs, "%31s %31s %31s %31s ", name, type, data,
523	level) < 4)
524	break;
525
526	if (strstr(type, "udp") \|\| strstr(type, "both")) {
527	sysprintf
528	("iptables -t mangle -A FILTER_OUT -p udp -m udp --dport %s -j MARK --set-mark %s",
529	data, level);
530	sysprintf
531	("iptables -t mangle -A FILTER_OUT -p udp -m udp --sport %s -j MARK --set-mark %s",
532	data, level);
533
534	sysprintf
535	("iptables -t mangle -A FILTER_IN -p udp -m udp --dport %s -j MARK --set-mark %s",
536	data, level);
537	sysprintf
538	("iptables -t mangle -A FILTER_IN -p udp -m udp --sport %s -j MARK --set-mark %s",
539	data, level);
540	}
541
542	// tcp and L7 is managed on both ingress and egress
543	if (strstr(type, "tcp") \|\| strstr(type, "both")) {
544	sysprintf
545	("iptables -t mangle -A FILTER_OUT -p tcp -m tcp --dport %s -j MARK --set-mark %s",
546	data, level);
547	sysprintf
548	("iptables -t mangle -A FILTER_OUT -p tcp -m tcp --sport %s -j MARK --set-mark %s",
549	data, level);
550	sysprintf
551	("iptables -t mangle -A FILTER_IN -p tcp -m tcp --dport %s -j MARK --set-mark %s",
552	data, level);
553	sysprintf
554	("iptables -t mangle -A FILTER_IN -p tcp -m tcp --sport %s -j MARK --set-mark %s",
555	data, level);
556	}
557
558	if (strstr(type, "l7")) {
559	sysprintf
560	("iptables -t mangle -A FILTER_OUT -m layer7 --l7proto %s -j MARK --set-mark %s",
561	name, level);
562	sysprintf
563	("iptables -t mangle -A FILTER_IN -m layer7 --l7proto %s -j MARK --set-mark %s",
564	name, level);
565	}
566	#ifdef HAVE_OPENDPI
567	if (strstr(type, "dpi")) {
568	sysprintf
569	("iptables -t mangle -A FILTER_OUT -m opendpi --%s -j MARK --set-mark %s",
570	name, level);
571	sysprintf
572	("iptables -t mangle -A FILTER_IN -m opendpi --%s -j MARK --set-mark %s",
573	name, level);
574	}
575	#endif
576
577	if (strstr(type, "p2p")) {
578
579	char *proto = NULL;
580	char *realname = name;
581
582	if (!strcasecmp(realname, "applejuice"))
583	proto = "apple";
584	else if (!strcasecmp(realname, "ares"))
585	proto = "ares";
586	else if (!strcasecmp(realname, "bearshare"))
587	proto = "gnu";
588	else if (!strcasecmp(realname, "bittorrent"))
589	proto = "bit";
590	else if (!strcasecmp(realname, "directconnect"))
591	proto = "dc";
592	else if (!strcasecmp(realname, "edonkey"))
593	proto = "edk";
594	else if (!strcasecmp(realname, "gnutella"))
595	proto = "gnu";
596	else if (!strcasecmp(realname, "kazaa"))
597	proto = "kazaa";
598	else if (!strcasecmp(realname, "mute"))
599	proto = "mute";
600	else if (!strcasecmp(realname, "soulseek"))
601	proto = "soul";
602	else if (!strcasecmp(realname, "waste"))
603	proto = "waste";
604	else if (!strcasecmp(realname, "winmx"))
605	proto = "winmx";
606	else if (!strcasecmp(realname, "xdcc"))
607	proto = "xdcc";
608	if (proto) {
609	insmod("ipt_ipp2p");
610	sysprintf
611	("iptables -t mangle -A FILTER_OUT -p tcp -m ipp2p --%s -j MARK --set-mark %s",
612	proto, level);
613	sysprintf
614	("iptables -t mangle -A FILTER_IN -p tcp -m ipp2p --%s -j MARK --set-mark %s",
615	proto, level);
616	if (!strcmp(proto, "bit")) {
617	// bittorrent detection enhanced
618	#ifdef HAVE_MICRO
619	sysprintf
620	("iptables -t mangle -A FILTER_OUT -m layer7 --l7proto bt -j MARK --set-mark %s\n",
621	level);
622	sysprintf
623	("iptables -t mangle -A FILTER_IN -m layer7 --l7proto bt -j MARK --set-mark %s\n",
624	level);
625	#else
626	sysprintf
627	("iptables -t mangle -A FILTER_OUT -m length --length 0:550 -m layer7 --l7proto bt -j MARK --set-mark %s\n",
628	level);
629	sysprintf
630	("iptables -t mangle -A FILTER_IN -m length --length 0:550 -m layer7 --l7proto bt -j MARK --set-mark %s\n",
631	level);
632	#endif
633	sysprintf
634	("iptables -t mangle -A FILTER_OUT -m layer7 --l7proto bt1 -j MARK --set-mark %s\n",
635	level);
636	sysprintf
637	("iptables -t mangle -A FILTER_IN -m layer7 --l7proto bt1 -j MARK --set-mark %s\n",
638	level);
639	sysprintf
640	("iptables -t mangle -A FILTER_OUT -m layer7 --l7proto bt2 -j MARK --set-mark %s\n",
641	level);
642	sysprintf
643	("iptables -t mangle -A FILTER_IN -m layer7 --l7proto bt2 -j MARK --set-mark %s\n",
644	level);
645	}
646	}
647	}
648	} while ((qos_svcs = strpbrk(++qos_svcs, "\|")) && qos_svcs++);
649
650	#ifndef HAVE_AQOS
651
652	char *qos_ipaddr = nvram_safe_get("svqos_ips");
653	char *qos_mac = nvram_safe_get("svqos_macs");
654
655	/*
656	* mac format is "mac level \| mac level \|" ..etc
657	*/
658	do {
659	if (sscanf(qos_mac, "%31s %31s \|", data, level) < 2)
660	break;
661
662	sysprintf
663	("iptables -t mangle -A FILTER_IN -m mac --mac-source %s -m mark --mark 1 -j MARK --set-mark %s",
664	data, level);
665	}
666	while ((qos_mac = strpbrk(++qos_mac, "\|")) && qos_mac++);
667
668	/*
669	* ipaddr format is "ipaddr level \| ipaddr level \|" ..etc
670	*/
671	do {
672
673	if (sscanf(qos_ipaddr, "%31s %31s \|", data, level) < 2)
674	break;
675
676	sysprintf
677	("iptables -t mangle -A FILTER_OUT -s %s -m mark --mark 0 -j MARK --set-mark %s",
678	data, level);
679	sysprintf
680	("iptables -t mangle -A FILTER_OUT -d %s -m mark --mark 0 -j MARK --set-mark %s",
681	data, level);
682	sysprintf
683	("iptables -t mangle -A FILTER_IN -s %s -m mark --mark 1 -j MARK --set-mark %s",
684	data, level);
685	sysprintf
686	("iptables -t mangle -A FILTER_IN -d %s -m mark --mark 1 -j MARK --set-mark %s",
687	data, level);
688	}
689	while ((qos_ipaddr = strpbrk(++qos_ipaddr, "\|")) && qos_ipaddr++);
690	#endif
691
692	// close mark-tables
693
694	system2("iptables -t mangle -A FILTER_IN -j CONNMARK --save");
695	system2("iptables -t mangle -A FILTER_IN -p tcp -m length --length 0:64 --tcp-flags ACK ACK -j MARK --set-mark 0x64");
696	system2("iptables -t mangle -A FILTER_IN -j RETURN");
697
698	system2("iptables -t mangle -A FILTER_OUT -j CONNMARK --save");
699	system2("iptables -t mangle -A FILTER_OUT -j RETURN");
700
701	// set port priority and port bandwidth
702	svqos_set_ports();
703
704	return 0;
705	}
706	#endif
707
708	void start_wshaper(void)
709	{
710	// int ret = 0;
711	char *dl_val;
712	char *ul_val;
713	char *mtu_val = "1500";
714
715	char *wshaper_dev;
716	char *wan_dev;
717	char *script_name;
718
719	wan_dev = get_wanface();
720	if (!wan_dev)
721	wan_dev = "xx";
722
723	wshaper_dev = nvram_safe_get("wshaper_dev");
724
725	if (!nvram_invmatch("qos_type", "0"))
726	script_name = "svqos";
727	else
728	script_name = "svqos2";
729
730	stop_wshaper();
731	if (!nvram_invmatch("wshaper_enable", "0"))
732	return;
733
734	if (!strcmp(wshaper_dev, "WAN") && (nvram_match("wan_proto", "disabled") \|\| client_bridged_enabled()) )
735	return;
736
737	if ((dl_val = nvram_safe_get("wshaper_downlink")) == NULL &&
738	atoi(dl_val) > 0)
739	return;
740	if ((ul_val = nvram_safe_get("wshaper_uplink")) == NULL &&
741	atoi(ul_val) > 0)
742	return;
743	mtu_val = get_mtu_val();
744
745	svqos_iptables();
746
747	if (!strcmp(wshaper_dev, "WAN"))
748	eval(script_name, ul_val, dl_val, wan_dev, mtu_val, "imq0");
749	else
750	eval(script_name, ul_val, dl_val, wan_dev, mtu_val, "imq0", "imq1");
751
752	#ifdef HAVE_AQOS
753	aqos_tables();
754	#endif
755
756	nvram_set("qos_done", "1");
757
758	return;
759	}
760
761	void stop_wshaper(void)
762	{
763	int ret = 0;
764
765	char *wan_dev = get_wan_face();
766	if (!wan_dev)
767	wan_dev = "xx";
768
769	char *script_name;
770	if (!nvram_invmatch("qos_type", "0"))
771	script_name = "svqos";
772	else
773	script_name = "svqos2";
774
775	nvram_set("qos_done", "0");
776
777	eval(script_name, "stop", "XX", wan_dev, "XX", "imq0", "imq1");
778
779	#ifdef HAVE_RB500
780	ret = eval(script_name, "stop", "XX", "eth0");
781	ret = eval(script_name, "stop", "XX", "ath0");
782	#elif HAVE_XSCALE
783	ret = eval(script_name, "stop", "XX", "ixp0");
784	ret = eval(script_name, "stop", "XX", "ixp1");
785	ret = eval(script_name, "stop", "XX", "ath0");
786	ret = eval(script_name, "stop", "XX", "ath1");
787	#elif HAVE_LAGUNA
788	ret = eval(script_name, "stop", "XX", "eth0");
789	ret = eval(script_name, "stop", "XX", "eth1");
790	#elif HAVE_MAGICBOX
791	ret = eval(script_name, "stop", "XX", "eth0");
792	ret = eval(script_name, "stop", "XX", "ath0");
793	#elif HAVE_RB600
794	ret = eval(script_name, "stop", "XX", "eth0");
795	ret = eval(script_name, "stop", "XX", "eth1");
796	ret = eval(script_name, "stop", "XX", "eth2");
797	ret = eval(script_name, "stop", "XX", "ath0");
798	ret = eval(script_name, "stop", "XX", "ath1");
799	ret = eval(script_name, "stop", "XX", "ath2");
800	ret = eval(script_name, "stop", "XX", "ath3");
801	ret = eval(script_name, "stop", "XX", "ath4");
802	ret = eval(script_name, "stop", "XX", "ath5");
803	ret = eval(script_name, "stop", "XX", "ath6");
804	ret = eval(script_name, "stop", "XX", "ath7");
805	#elif HAVE_NS2
806	ret = eval(script_name, "stop", "XX", "eth0");
807	ret = eval(script_name, "stop", "XX", "ath0");
808	#elif HAVE_LC2
809	ret = eval(script_name, "stop", "XX", "eth0");
810	ret = eval(script_name, "stop", "XX", "ath0");
811	#elif HAVE_BS2
812	ret = eval(script_name, "stop", "XX", "eth0");
813	ret = eval(script_name, "stop", "XX", "ath0");
814	#elif HAVE_PICO2
815	ret = eval(script_name, "stop", "XX", "eth0");
816	ret = eval(script_name, "stop", "XX", "ath0");
817	#elif HAVE_PICO5
818	ret = eval(script_name, "stop", "XX", "eth0");
819	ret = eval(script_name, "stop", "XX", "ath0");
820	#elif HAVE_MS2
821	ret = eval(script_name, "stop", "XX", "eth0");
822	ret = eval(script_name, "stop", "XX", "ath0");
823	#elif HAVE_BS2HP
824	ret = eval(script_name, "stop", "XX", "eth0");
825	ret = eval(script_name, "stop", "XX", "ath0");
826	#elif HAVE_LS2
827	ret = eval(script_name, "stop", "XX", "vlan0");
828	ret = eval(script_name, "stop", "XX", "vlan2");
829	ret = eval(script_name, "stop", "XX", "ath0");
830	#elif HAVE_SOLO51
831	ret = eval(script_name, "stop", "XX", "vlan0");
832	ret = eval(script_name, "stop", "XX", "vlan2");
833	ret = eval(script_name, "stop", "XX", "ath0");
834	#elif HAVE_LS5
835	ret = eval(script_name, "stop", "XX", "eth0");
836	ret = eval(script_name, "stop", "XX", "ath0");
837	#elif HAVE_WRT54G2
838	ret = eval(script_name, "stop", "XX", "vlan1");
839	ret = eval(script_name, "stop", "XX", "vlan2");
840	ret = eval(script_name, "stop", "XX", "ath0");
841	#elif HAVE_RTG32
842	ret = eval(script_name, "stop", "XX", "vlan1");
843	ret = eval(script_name, "stop", "XX", "vlan2");
844	ret = eval(script_name, "stop", "XX", "ath0");
845	#elif HAVE_DIR300
846	ret = eval(script_name, "stop", "XX", "vlan0");
847	ret = eval(script_name, "stop", "XX", "vlan2");
848	ret = eval(script_name, "stop", "XX", "ath0");
849	#elif HAVE_MR3202A
850	ret = eval(script_name, "stop", "XX", "vlan1");
851	ret = eval(script_name, "stop", "XX", "vlan2");
852	ret = eval(script_name, "stop", "XX", "ath0");
853	#elif HAVE_RT2880
854	ret = eval(script_name, "stop", "XX", "eth2");
855	ret = eval(script_name, "stop", "XX", "vlan1");
856	ret = eval(script_name, "stop", "XX", "vlan2");
857	ret = eval(script_name, "stop", "XX", "ra0");
858	ret = eval(script_name, "stop", "XX", "apcli0");
859	#elif HAVE_FONERA
860	ret = eval(script_name, "stop", "XX", "eth0");
861	ret = eval(script_name, "stop", "XX", "vlan0");
862	ret = eval(script_name, "stop", "XX", "vlan1");
863	ret = eval(script_name, "stop", "XX", "ath0");
864	#elif HAVE_WHRAG108
865	ret = eval(script_name, "stop", "XX", "eth0");
866	ret = eval(script_name, "stop", "XX", "eth1");
867	ret = eval(script_name, "stop", "XX", "ath0");
868	ret = eval(script_name, "stop", "XX", "ath1");
869	#elif HAVE_PB42
870	ret = eval(script_name, "stop", "XX", "eth0");
871	ret = eval(script_name, "stop", "XX", "eth1");
872	ret = eval(script_name, "stop", "XX", "ath0");
873	ret = eval(script_name, "stop", "XX", "ath1");
874	#elif HAVE_WR941
875	ret = eval(script_name, "stop", "XX", "vlan0");
876	ret = eval(script_name, "stop", "XX", "vlan1");
877	ret = eval(script_name, "stop", "XX", "ath0");
878	#elif HAVE_WA901v1
879	ret = eval(script_name, "stop", "XX", "eth1");
880	ret = eval(script_name, "stop", "XX", "ath0");
881	#elif HAVE_WR703
882	ret = eval(script_name, "stop", "XX", "eth1");
883	ret = eval(script_name, "stop", "XX", "ath0");
884	#elif HAVE_WR741
885	ret = eval(script_name, "stop", "XX", "eth0");
886	ret = eval(script_name, "stop", "XX", "eth1");
887	ret = eval(script_name, "stop", "XX", "ath0");
888	#elif HAVE_WR1043
889	ret = eval(script_name, "stop", "XX", "vlan1");
890	ret = eval(script_name, "stop", "XX", "vlan2");
891	ret = eval(script_name, "stop", "XX", "ath0");
892	#elif HAVE_WZRG450
893	ret = eval(script_name, "stop", "XX", "vlan1");
894	ret = eval(script_name, "stop", "XX", "vlan2");
895	ret = eval(script_name, "stop", "XX", "ath0");
896	#elif HAVE_DIR632
897	ret = eval(script_name, "stop", "XX", "eth0");
898	ret = eval(script_name, "stop", "XX", "eth1");
899	ret = eval(script_name, "stop", "XX", "ath0");
900	#elif HAVE_WNR2000
901	ret = eval(script_name, "stop", "XX", "eth0");
902	ret = eval(script_name, "stop", "XX", "eth1");
903	ret = eval(script_name, "stop", "XX", "ath0");
904	#elif HAVE_WASP
905	ret = eval(script_name, "stop", "XX", "vlan1");
906	ret = eval(script_name, "stop", "XX", "vlan2");
907	ret = eval(script_name, "stop", "XX", "ath0");
908	#elif HAVE_WHRHPGN
909	ret = eval(script_name, "stop", "XX", "eth0");
910	ret = eval(script_name, "stop", "XX", "eth1");
911	ret = eval(script_name, "stop", "XX", "ath0");
912	#elif HAVE_LSX
913	ret = eval(script_name, "stop", "XX", "eth0");
914	ret = eval(script_name, "stop", "XX", "eth1");
915	ret = eval(script_name, "stop", "XX", "ath0");
916	ret = eval(script_name, "stop", "XX", "ath1");
917	ret = eval(script_name, "stop", "XX", "ath2");
918	#elif HAVE_DANUBE
919	ret = eval(script_name, "stop", "XX", "eth0");
920	ret = eval(script_name, "stop", "XX", "ath0");
921	#elif HAVE_WBD222
922	ret = eval(script_name, "stop", "XX", "eth0");
923	ret = eval(script_name, "stop", "XX", "eth1");
924	ret = eval(script_name, "stop", "XX", "eth2");
925	ret = eval(script_name, "stop", "XX", "ath0");
926	ret = eval(script_name, "stop", "XX", "ath1");
927	ret = eval(script_name, "stop", "XX", "ath2");
928	#elif HAVE_STORM
929	ret = eval(script_name, "stop", "XX", "eth0");
930	ret = eval(script_name, "stop", "XX", "ath0");
931	#elif HAVE_OPENRISC
932	ret = eval(script_name, "stop", "XX", "eth0");
933	ret = eval(script_name, "stop", "XX", "eth1");
934	ret = eval(script_name, "stop", "XX", "eth2");
935	ret = eval(script_name, "stop", "XX", "eth3");
936	ret = eval(script_name, "stop", "XX", "ath0");
937	#elif HAVE_ADM5120
938	ret = eval(script_name, "stop", "XX", "eth0");
939	ret = eval(script_name, "stop", "XX", "eth1");
940	ret = eval(script_name, "stop", "XX", "ath0");
941	#elif HAVE_TW6600
942	ret = eval(script_name, "stop", "XX", "eth0");
943	ret = eval(script_name, "stop", "XX", "ath0");
944	ret = eval(script_name, "stop", "XX", "ath1");
945	#elif HAVE_RDAT81
946	ret = eval(script_name, "stop", "XX", "eth0");
947	ret = eval(script_name, "stop", "XX", "ath0");
948	ret = eval(script_name, "stop", "XX", "ath1");
949	#elif HAVE_RCAA01
950	ret = eval(script_name, "stop", "XX", "vlan0");
951	ret = eval(script_name, "stop", "XX", "vlan1");
952	ret = eval(script_name, "stop", "XX", "ath0");
953	ret = eval(script_name, "stop", "XX", "ath1");
954	#elif HAVE_CA8PRO
955	ret = eval(script_name, "stop", "XX", "vlan0");
956	ret = eval(script_name, "stop", "XX", "vlan1");
957	ret = eval(script_name, "stop", "XX", "ath0");
958	#elif HAVE_CA8
959	ret = eval(script_name, "stop", "XX", "eth0");
960	ret = eval(script_name, "stop", "XX", "ath0");
961	#elif HAVE_X86
962	ret = eval(script_name, "stop", "XX", "eth0");
963	ret = eval(script_name, "stop", "XX", "ath0");
964	#else
965	ret = eval(script_name, "stop", "XX", "vlan1");
966	ret = eval(script_name, "stop", "XX", "eth1");
967	#endif
968	// ret = eval(script_name, "stop", "XX", "ppp0");
969	stop_firewall();
970	start_firewall();
971
972	//rmmod("ebt_dnat");
973	//rmmod("ebt_snat");
974	//rmmod("ebt_mark_m");
975	//rmmod("ebt_mark");
976	//rmmod("ebtable_filter");
977	//rmmod("ebtable_nat");
978
979	// don't let packages pass to iptables without ebtables loaded
980	writeproc("/proc/sys/net/bridge/bridge-nf-call-arptables","0");
981	writeproc("/proc/sys/net/bridge/bridge-nf-call-ip6tables","0");
982	writeproc("/proc/sys/net/bridge/bridge-nf-call-iptables","0");
983
984	#ifdef HAVE_OPENVPN
985	rmmod("xt_dscp");
986	rmmod("xt_DSCP");
987	rmmod("xt_physdev");
988	#endif
989
990	rmmod("ipt_mark");
991	rmmod("xt_mark");
992	rmmod("ipt_CONNMARK");
993	rmmod("xt_CONNMARK");
994	rmmod("/lib/opendpi/xt_opendpi.ko");
995	rmmod("ipt_layer7");
996	rmmod("ipt_mac");
997	rmmod("xt_mac");
998	rmmod("xt_IMQ");
999	rmmod("ipt_IMQ");
1000	rmmod("imq");
1001	rmmod("ebtables");
1002
1003	return;
1004	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: